Compliance regulations and general security concerns typically drive the need for businesses to enforce security policies across many computerized systems. This sector of the market is often referred to as Governance, Risk, and Compliance (GRC). Typically, part of GRC is ensuring that desired and/or required security policies are defined and enforced such that the desired workers have minimal and sufficient access to perform assigned tasks. Separation of Duty (SoD), also referred to as Segregation of Duty, is an example of one such policy. SoD typically refers to the policies, procedures, and organizational structure that help ensure that one person cannot independently control all key aspects of a process or computer-related operation and thereby conduct unauthorized actions and/or gain unauthorized access to assets or records without detection.
SoD policy enforcement can be used to prevent fraud and abuse by a single person. For example, SoD can help avoid fraud by preventing a single person from being assigned or being able to control some or all of the systems needed to commit fraud. A common example is that one person should not be able to both accept a loan application and approve a loan application. Having both of these rights could give a single person the opportunity to commit fraud by granting phony loans without any oversight. Typically, through the use of SoD policies, systems can be periodically checked for policy violations (e.g., conflicts in access rights).
Separation of Duty policies can vary, and can be enforced at different times. For example, Static SoD policies are typically enforced at the time access to an application is assigned, and Dynamic SoD (DSD) policies are typically enforced at the time the assigned rights are used. Traditional approaches to DSD enforcement require modification of the applications or systems where the DSD policy is to be enforced.
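The distinction drawn above between Static SoD (checked when a right is assigned), periodic audit of existing assignments, and Dynamic SoD (checked when a right is exercised) can be made concrete with a small policy engine. The code below is an added example written for this page, not code from the original text; the conflict pairs, user names, and loan identifiers are constructed, and the `exercise()` hook is the point at which an application would have to be modified to enforce DSD, as the last sentence notes.

```python
"""Static and dynamic Separation of Duty (SoD) checks over a constructed
role-assignment table. Added example; the rules and data are made up."""
from collections import defaultdict

# Constructed conflict rules: each frozenset names two rights that one person
# must not control together (the loan example from the text, plus one more).
CONFLICTS = {
    frozenset({"accept_loan_application", "approve_loan_application"}),
    frozenset({"create_vendor", "pay_vendor"}),
}


def conflicting_right(right, held):
    """Return the right in `held` that conflicts with `right`, or None."""
    for other in held:
        if frozenset({right, other}) in CONFLICTS:
            return other
    return None


class SoDViolation(Exception):
    """Raised when an assignment or action would violate an SoD rule."""


class StaticSoD:
    """Static SoD: enforced at assignment time, so a user never holds both rights."""

    def __init__(self):
        self.rights = defaultdict(set)  # user -> set of rights held

    def assign(self, user, right):
        clash = conflicting_right(right, self.rights[user])
        if clash is not None:
            raise SoDViolation(f"{user}: {right} conflicts with held {clash}")
        self.rights[user].add(right)

    def audit(self):
        """Periodic check of existing assignments, catching rights that
        reached the table without going through assign() (e.g. a bulk load)."""
        findings = []
        for user, held in self.rights.items():
            for a in sorted(held):
                for b in sorted(held):
                    if a < b and frozenset({a, b}) in CONFLICTS:
                        findings.append((user, a, b))
        return findings


class DynamicSoD:
    """Dynamic SoD: a user may hold both rights but may not exercise
    conflicting rights on the same object (here, the same loan)."""

    def __init__(self):
        self.history = defaultdict(set)  # object_id -> {(user, right)}

    def exercise(self, user, right, object_id):
        """The enforcement hook an application must call before each action."""
        prior = {r for (u, r) in self.history[object_id] if u == user}
        clash = conflicting_right(right, prior)
        if clash is not None:
            raise SoDViolation(f"{user} already did {clash} on {object_id}")
        self.history[object_id].add((user, right))


def demo():
    """Run the loan scenario from the text and return a summary dict."""
    static = StaticSoD()
    static.assign("alice", "accept_loan_application")
    try:
        static.assign("alice", "approve_loan_application")
        static_blocked = False
    except SoDViolation:
        static_blocked = True
    # Simulate rights that bypassed assign(), then let the audit find them.
    static.rights["bob"].update({"create_vendor", "pay_vendor"})
    audit = static.audit()

    dyn = DynamicSoD()
    dyn.exercise("carol", "accept_loan_application", "loan-42")
    dyn.exercise("dave", "approve_loan_application", "loan-42")  # other person: fine
    try:
        dyn.exercise("carol", "approve_loan_application", "loan-42")
        dynamic_blocked = False
    except SoDViolation:
        dynamic_blocked = True
    dyn.exercise("carol", "approve_loan_application", "loan-43")  # different loan: fine
    return {"static_blocked": static_blocked, "audit": audit,
            "dynamic_blocked": dynamic_blocked}


if __name__ == "__main__":
    print(demo())
```

The static check refuses the second assignment outright, the audit surfaces a conflicting pair that was loaded without passing through the check, and the dynamic check lets one person hold both loan rights yet blocks using both on the same loan. Because `exercise()` must be called at every use, DSD enforcement of this shape lives inside the application, which is the modification the text refers to.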